Cisco ASA 5505 - NAT

Hi guys,
I'm using a Cisco ASA 5505 and I'm trying to configure NATing between two hosts. I already configured the NAT and I used pinging to make sure that my NAT configuration between the two hosts works, but unfortunately it is still not working (I mean sending traffic from host A to host B and the reverse). I posted the configuration below. Could you please help me to solve this problem and make pinging work between the two hosts?

If you have a static NAT as configured above, this means that any traffic from 10.3.3.20 will look like it's coming from 10.4.4.10 when it sends traffic to hosts outside the ASA. This configuration will not allow 10.3.3.20 to ping 10.4.4.10. If you would like this to work, remove the static NAT. This will then allow 10.3.3.20 to be NATed to 10.4.4.1 on the outside and communicate with 10.4.4.10.

Incidentally, there are various odd things about your configuration.
Firstly, access list lines permitting 0.0.0.0 255.255.255.0 are not valid.
Secondly, your inside and outside interfaces are set with the same security level. This is not good practice, and partially defies the point of having an ASA.
Thirdly, you don't need access lists for both directions of both interfaces; this just significantly complicates matters. I would recommend one for traffic coming into the inside interface and one for traffic coming into the outside interface. I have noticed that only one of these access lists is applied, which is why it is not causing you any problems at the moment.
Fourthly, your route statement is meaningless, as its next hop is the ASA's own interface. If you want to route out to the internet or any other networks, the next hop needs to be another router on the 10.4.4.0 network that can then route to other networks.

> and I'm trying to configure NATing between two hosts
What two hosts?
You have NATed 10.4.4.10 to 10.3.3.20, which means there is only one host. What is the other host?
You could disable nat-control, allow same-security traffic inter-interface and basically turn the ASA into a router.

Based on the configuration above and the IP addresses supplied, this should work from A to B, but it will not work the other way round because access list outside_access_in is only allowing echo-reply traffic, and the dynamic NAT would not allow this anyway.

Is host 10.4.4.4 responding to pings from another host in the same subnet? Is there any firewall on this PC that could be blocking ICMP? Windows Firewall, if enabled, will block ICMP by default.

Why are you using an ASA for this, and why are you NATing at all? It would make the config much simpler if you just routed between the subnets, and this would allow bidirectional traffic. As it is, without specific one-to-one NATs, hosts on 10.4.4.0 won't be able to send traffic to 10.3.3.0 hosts.

This would also be achieved more simply with a plain old router or layer 3 switch. I would recommend keeping the ASA for an edge firewall role.

Hi cstosgale,
Yes, I just pinged from host A to host B and it is working now, but the other way (from host B to A) is not working. I still didn't change my configuration above. What would you suggest I do now?

If you just want two-way communication between the networks on either side of the ASA, and both networks are internal, I would recommend removing the NAT configuration altogether. This is the easiest way to allow bidirectional communication.

Having said that, if that is all you need, there isn't really much point in using an ASA; a much simpler router or layer 3 switch would do as good a job. If both subnets are internal to your LAN, I would recommend using a Catalyst 3560 or similar. Out of the box this will route between VLANs, and you can control traffic between the two using access lists.

If you already have a switch, and you just need to route between VLANs present on a switch, you can pick up an old 2600 series router off eBay that would do this just fine.

Hi guys,
I appreciate your cooperation with me. In fact, I have to use NATing with the ASA 5505 between two hosts, because this is part of my work; I must do it. I cannot remove my NATing configuration. So, I'll show you my current configuration below. What I want, if you don't mind, is for you to show me step-by-step how the two hosts A and B can communicate with each other (I mean host A should ping host B and host B should ping host A). One side is working now, which is from host A to host B, but the other side is not working, as I mentioned above.
IP host of A --> 10.3.3.8 and IP default-gateway --> 10.3.3.1
IP host of B --> 10.4.4.5 and IP default-gateway --> 10.4.4.1

Thank you so much. Now the two hosts are working.
I have two questions. Do I have to keep the following commands in my configuration?
static (inside,outside) 10.4.4.10 10.3.3.10 netmask 255.255.255.255
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10

Depends on why you have that static and if host 10.4.4.20 needs to communicate with 10.3.3.10.
If you want host A to have internet access too, then we have a totally different scenario, but since the outside interface is a private 10.4.4.x IP address, I assume all NAT is taking place at the next-hop gateway, and that NAT gateway should be configured to allow host 10.3.3.8 out and NAT it appropriately.


No, you can remove them, as they are not related to the communication between the two hosts.
The second line is meaningless, as the router will never see traffic from 10.4.4.20 to 10.4.4.10.

In order to get host A to the internet, 10.4.4.10 will need to have a route to the internet, as this is the default route on the ASA. There will also need to be a device NATing to the internet from the 10.4.4.0 range, as this is a private IP range.

Thank you guys. I have another question regarding the static command. If host A is 10.3.3.8 and host B is 10.4.4.5, and these hosts are communicating with each other in terms of the modification to my configuration as follows:
static (inside,outside) 10.3.3.8 10.3.3.8 netmask 255.255.255.255
access-list outside_access_in extended permit icmp host 10.4.4.5 host 10.3.3.8

My question is: what if host A is changed and becomes 10.3.3.9 instead of 10.3.3.8, or host B is changed and becomes 10.4.4.6? Are these commands with my current configuration above going to work between host A and host B and between host B and host A, even if host A is changed to another IP in 10.3.3.x or host B is changed to another IP in 10.4.4.x?

What if I don't want to use static NAT to specify each IP address? I want to use some kind of NAT where I don't have to specify each IP address when an IP address changes. Could you tell me what commands I should use to keep my configuration without changing it?

You would need to disable NAT in order to provide this functionality! If you want traffic to flow between any addresses in the two subnets, the only real viable solution is to disable NAT. What is the reason you need to keep NAT enabled between the 10.4.4.0 and the 10.3.3.0 networks? If you are able to tell me the reason, I may be able to advise you of a better way of achieving the configuration you want.

The reason is I'm working on a Cisco ASA 5505. One of the parts I must do is NAT, because my professor needs NATing between two hosts and they have to ping each other. I have done one way, which is pinging from host A to host B. In fact, I did both ways, but unfortunately my configuration was wrong, because he needs NATing from A to B on the same subnet to see the NATing. So, I have to figure out the other way, from B to A on the same subnet. In addition, I may configure a VPN client later. Therefore, this is the reason why I'm using NATing. Would you mind helping me to do the other way (B to A) on the subnet of A? For example: if A --> 10.3.3.9 and B --> 10.4.4.6, if I pinged B from A it would be "ping 10.4.4.6", the original IP address, and the remote address would be something random like 10.4.4.2. This way the professor will see the NATing is working.

Hi guys,
I'm still having a problem in my NAT configuration, especially when I pinged host B from host A. It was working as I said before, but host B was not responding to the ping from host A in the same subnet.
So, my configuration currently is not pinging between the two hosts. Could you please look at my configuration and guide me to solve my configuration problem? I appreciate your working with me.

As we have already stated, you cannot ping host A from host B in this configuration, as you have a static NAT between the two devices:

static (inside,outside) 10.4.4.3 10.3.3.3 netmask 255.255.255.255

NAT replaces one IP with another as the packets go through the ASA. Therefore, as far as the ASA is concerned, 10.4.4.3 and 10.3.3.3 are the same host.

Is your professor trying to teach you about networking / Cisco configuration? If so, he is not making a very good job of it. Either that or you have completely misunderstood what he is asking you to do.

The purpose of NAT is to allow multiple private IPs to talk to the internet via a single public IP. In this configuration, the private IPs are not accessible, e.g. pingable, from the outside world. A static NAT like the one above is used to give a server a public address on the internet using a one-to-one mapping.

On your ASA above, the 10.4.4.0 subnet is effectively your public addresses and the 10.3.3.0 subnet the internal range. 10.3.3.3 would be your server, which you are giving the public IP 10.4.4.3.
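To make the behaviour described in the replies above concrete (the dynamic NAT blocking B-to-A new connections, and the static one-to-one mapping making 10.4.4.3 the only name by which 10.3.3.3 is reachable from outside), here is a small Python model added for illustration; it is not Cisco code and not from any poster. It assumes the thread's addresses, takes 10.4.4.1 (the ASA outside interface) as the dynamic PAT address, and treats an ICMP echo-reply as belonging to the inside-initiated flow, as ICMP inspection would:

```python
# Constructed model of the pre-8.3 ASA decision for ICMP between inside (10.3.3.0/24)
# and outside (10.4.4.0/24) with nat-control. Not Cisco code; addresses from the thread.
OUTSIDE_IF = "10.4.4.1"  # assumed ASA outside interface, used for dynamic (interface PAT)


class AsaNatModel:
    def __init__(self, static, outside_acl):
        self.static = dict(static)                     # real inside IP -> mapped outside IP
        self.static_rev = {m: r for r, m in self.static.items()}
        self.outside_acl = set(outside_acl)            # permitted (src, mapped dst) on outside_access_in
        self.conns = {}                                # (mapped src, dst) -> real src, inside-initiated flows

    def inside_to_outside(self, src, dst):
        """Inside host sends outbound: the source is rewritten and the flow is remembered."""
        mapped = self.static.get(src, OUTSIDE_IF)      # static entry wins, otherwise PAT to interface
        self.conns[(mapped, dst)] = src
        return ("forward", mapped, dst)

    def outside_to_inside(self, src, dst):
        """Outside host sends inbound: a reply rides the remembered flow; a new flow needs a
        static xlate for the mapped address AND a permit in the outside ACL on that address."""
        real = self.conns.get((dst, src))
        if real is not None:
            return ("forward", src, real)
        real = self.static_rev.get(dst)
        if real is None:
            # True for the real inside address (never visible outside) and for the PAT address.
            return ("drop", "no static xlate for " + dst)
        if (src, dst) not in self.outside_acl:
            return ("drop", "denied by outside_access_in")
        return ("forward", src, real)


def thread_scenarios():
    """Replay the cases discussed in the thread; returns label -> decision."""
    asa = AsaNatModel(static={"10.3.3.3": "10.4.4.3"},
                      outside_acl={("10.4.4.5", "10.4.4.3")})
    out = {}
    out["A->B echo"] = asa.inside_to_outside("10.3.3.8", "10.4.4.5")        # PAT to 10.4.4.1
    out["B->A echo-reply"] = asa.outside_to_inside("10.4.4.5", "10.4.4.1")  # reply, allowed
    out["B->A new, real IP"] = asa.outside_to_inside("10.4.4.5", "10.3.3.3")
    out["B->A new, PAT IP"] = asa.outside_to_inside("10.4.4.6", "10.4.4.1")
    out["B->mapped, permitted"] = asa.outside_to_inside("10.4.4.5", "10.4.4.3")
    out["other->mapped, no ACL"] = asa.outside_to_inside("10.4.4.6", "10.4.4.3")
    return out


if __name__ == "__main__":
    for label, decision in thread_scenarios().items():
        print("%-24s %s" % (label, decision))
```

The two "drop" cases for B-to-A are exactly the thread's point: without a static entry, B has no stable address to reach A on, and with one, B must ping the mapped 10.4.4.x address rather than the 10.3.3.x one.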
